Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

This blog is protected by a second level of security. Unable to post.

edited February 2013 in MarsEdit
Hi I have a large post I am working on which I cannot send to my blog. A smaller test post has just published ok but with this one I am getting the following error additional password field.

"This blog is protected by a second level of security. Please enter your HTTP Basic Authentication username and password for "Name of blog".

I have logged into the site with the same username and password but it refuses it for this post and then comes up with a 403 error.

I've tried pasting the content into a new post but still the same error. Also the error is the same on both machines I have - a MacMini and also a MacBook Air.

Started this thread as Google didn't turn up any answers.

Thanks, Andy.


  • To me this sounds like xmlrpc file is protected by HTTP Basic Authentication (assuming you can log in using a web browser), you probably need a second set of user/password info (but I'm just guessing)
  • Jem, thanks as always for chiming in. Whenever you do you almost invariable have the right advice for folks :)

    Just to add a little more to this, the error message and special authentication panel you're getting from MarsEdit strongly suggest it's an authentication issue that is happening at the "HTTP" level - that is, before the blog password is even involved. Something is stopping MarsEdit from even knocking on the door to your blog, so to speak.

    If you can capture the network log it might help me to pinpoint the problem.

    1. Open MarsEdit
    2. Select Window -> Network Log from the menu bar.
    3. Clear the log if it's not already empty.
    4. Try to refresh the blog again from MarsEdit.
    5. Copy the network log contents.

    I recommend mailing the network log to me instead of pasting here. It's hard to paste the content here without the forums screwing up the formatting, and just in case there is any sensitive information in the log you won't have to worry about. Thanks!

  • Daniel, thanks. I have emailed the network log.
  • Looks like these bits are the problem on the individual post.

    Network message sent: 2013-02-26 19:55:37 +0000
    Method name: metaWeblog.editPost
    Network reply received: 2013-02-26 19:55:40 +0000
    Method name: metaWeblog.editPost
    Status code: 403
    Succeeded: NO
    --Download Error--

    Response text:

    403 Forbidden


    You don't have permission to access /blog/xmlrpc.php
    on this server.

    Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.

  • Hi Andy - thanks for sending the log and I'm sorry I didn't follow up more quickly.

    What's interesting about the log is it reveals that the server is responding successfully to many requests, just not to the editing requests.

    The fact that this is only affecting your larger post gives me an idea and reminds me of a very similar problem another customer ran into. In his case it turned out his hosting company had activated some security features on the site that would reject accesses to xmlrpc.php if the content contained certain content. In his case it literally came down to some specific short english phrase triggering the rejection.

    I would get in touch with your web hosting support team and ask them whether they think this could be the case. Send them the same network logs that you sent to me and ask if there is any security software installed and configured that could be rejecting requests based on the content POST'd to the xmlrpc.php endpoint.

  • Thanks Daniel. Sorry for the slow response on my part. Will chase this up now and report back.

  • I'malso haveing a similar issue. I sent dream host, my provider, the network log and they will email me if the problem can be resolved. I kept a record of their chat wiht me in case any issues orise. I hope this has nothign to do with the recent security flaw known as hart bleed as if it does all blogs will have to be updated wiht new softwares. and more problems will be had.
  • edited April 2014
    Marrie, same problem here with DreamHost. Their advice to me was to turn off WordFence plugin (in case you're running it, too). Didn't work for me, but something to try.
  • DreamHost customers seem to be having a terrible time lately with some recent changes they have made to their security settings. I don't know what else to suggest but to keep insisting to them that they revert the behavior to the old way it worked. It may help to capture the "Network Log" from MarsEdit (in the Window menu), and send it to them as evidence that the DreamHost-hosted WordPress installation is giving the errors.
  • My ISP, MacHighway (highly recommended) says that because they’d been the target of some Denial of Service attacks, they had added a second level of security: 2-Level Basic Authentication. Interestingly, he singled out WordPress blogs for special attention, moving them all to a single server and imposing the 2-level thing on that server. (Probably others as well, but this one I know about.)

    The system they’re using is “Google Authenticator.” [] I gather that competing systems might implement 2-level authentication in different ways, but the principle would remain the same.

    The general idea is that, after verifying legitimacy the usual way, you would encounter a second level of security. In Google’s case that involves entering an “OTP” (one time password) sent from Google. The password is a six- or eight-digit random number they provide by either SMS or voice. Think of it as like buying a movie ticket good for one showing of one movie at one specified time on one specified day.

    For me, the story doesn’t yet have a happy ending. MarsEdit is totally blameless. Its job is to assemble both good code and good supplementary content; to get it to the ISP; and to obtain permission to enter a blog and post it. What we’re talking about here is an obstacle that’s been placed between the safe delivery of the goodies and the permission to enter the blog.

    This is as far as I’ve managed to get: I’ve made the system work for accessing my Google account. That required uploading an app called “Google Authenticator” to my iPhone. It receives the one time passwords that I can use to gain access to my Google account. The six digit code changes every minute, so this is essentially a real time interaction. It requires my having had to enter my Google password; register to obtain a second, one-time password enrolling my Google account number in the program.

    Noticeably, I haven’t mentioned my blog. I got this explanation: “Please enter your HTTP Basic Authentication username and password.” (Daniel has already addressed an HTTP query.) The capitalization implies that this is a special program, requiring a special username and password. So how do I enroll? What’s my username and password? I’m still not sure what combination of username and password are being requested. And mind you, that’s after having tried various permutations of usernames and passwords that might conceivably be relevant.

    I hope anyone who figures this out (including the part played by Google Authenticator’s distributing of random number combinations) will share the answer here! I don’t want to think of the many hours I’ve invested here, or amount of frustration I have bottled up.
  • Hi Scarabus - unfortunately I don't think the "HTTP Basic Authentication" prompt from MarsEdit is related to any Google Authenticator based system that your admins may have added. It might be though that however the new protections are failing is making MarsEdit get confused and think there is a "HTTP Basic" protection on the blog.

    Typically the HTTP Basic protection is setup at the web server level and protects a whole site or portion of a site BEFORE anything that lies behind it. So it would set a password that you'd have to enter just to get through to WordPress's login.
  • Daniel, I got this note from Ron, a part of MacHighway's support team. Im going to send him a link to this thread. I've been relying on them since way back when they were known as "Itsamac," and Ron's attitude here is characteristic — and reminds me of yours!)

    Of course I want to get my blog back up and running, but I'd also like to know what's going on here. Hope you guys can figure it out.



    If there is a forum post I would like to view the thread on this, as I have a collection of "private notes" on apps like this and would like to better understand how the application works in conjunction with a webserver and google OpenID or their present reincarnation of the Google authenticator.

    Ron K.
    Tier 3 Technical Support Representative, MacHighway
  • Thanks for the update, Scarabus. Ron, if you have arrived at this thread and have any other questions about how MarsEdit authenticates with WordPress, just let me know. FWIW MarsEdit doesn't do anything special to integrate with OpenID or Google Authenticator.
Sign In or Register to comment.